Powershell Downloads
This query detects powershell downloads using `Start-BitsTransfer`, `Invoke-WebRequest`, or `System.Net.WebClient`.
Tags: EDR, hunting, T1059, FDR, intermediate
By ByteRay GmbH (cql-hub.com), 1 min read
Query
#event_simpleName=CommandHistory
| CommandHistory=/Invoke\-WebRequest|Net\.WebClient|Start\-BitsTransfer/i
// Capture the first URL; stop at a quote or a space so trailing arguments are not swallowed
| regex("(?<URL>https?://[^'\" ]+)", field=CommandHistory)
// Strip the scheme, http or https, before isolating the host
| replace("^https?://", with="", field=URL, as=ShortURL)
// Keep only the host portion for the OTX domain lookup
| replace("\/.*", with="", field=ShortURL, as=otx_lookup)
| UrlBase:="https://otx.alienvault.com/indicator/domain/"
| format(format="[Alienvault](%s%s)", field=[UrlBase, otx_lookup], as=DomainLookup)
| table([DomainLookup, URL, ComputerName, UserName, CommandHistory], limit=20000)
Explanation
Imported from cql-hub.com. Add an explanation of the pipes here.
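The same pipeline logic run over a few constructed CommandHistory values, as an added Python example (not code from the page or from ByteRay GmbH): the cmdlet filter, URL capture, scheme stripping and host extraction mirror the query stages above; the sample events, hostnames and user names are invented.

```python
import re

# Constructed sample events standing in for Falcon CommandHistory telemetry (not real data).
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "UserName": "alice",
     "CommandHistory": "Invoke-WebRequest -Uri 'https://files.example.net/tools/agent.zip' -OutFile agent.zip"},
    {"ComputerName": "WS02", "UserName": "bob",
     "CommandHistory": '(New-Object System.Net.WebClient).DownloadFile("http://cdn.example.org/a/b.exe", "b.exe")'},
    {"ComputerName": "WS03", "UserName": "carol",
     "CommandHistory": r"Start-BitsTransfer -Source https://mirror.example.com/update.msi -Destination C:\Temp"},
    {"ComputerName": "WS04", "UserName": "dave",
     "CommandHistory": r"Get-ChildItem C:\Users | Sort-Object Length"},   # benign, must be filtered out
]

# Same patterns as the CQL query: the case-insensitive download filter and the URL capture.
DOWNLOAD_RE = re.compile(r"Invoke\-WebRequest|Net\.WebClient|Start\-BitsTransfer", re.IGNORECASE)
URL_RE = re.compile(r"(?P<URL>https?://[^'\" ]+)")
OTX_BASE = "https://otx.alienvault.com/indicator/domain/"


def hunt(events):
    """Apply the query stages to a list of events and return the rows the table() would show."""
    rows = []
    for ev in events:
        cmd = ev["CommandHistory"]
        if not DOWNLOAD_RE.search(cmd):
            continue                                   # CommandHistory=/.../i filter
        m = URL_RE.search(cmd)
        if not m:
            continue                                   # regex() drops events without a URL
        url = m.group("URL")
        short_url = re.sub(r"^https?://", "", url)     # strip http:// or https://
        otx_lookup = re.sub(r"/.*", "", short_url)     # keep only the host for the OTX lookup
        rows.append({
            "DomainLookup": f"[Alienvault]({OTX_BASE}{otx_lookup})",
            "URL": url,
            "ComputerName": ev["ComputerName"],
            "UserName": ev["UserName"],
            "CommandHistory": cmd,
        })
    return rows


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["ComputerName"], row["UserName"], row["URL"], row["DomainLookup"])
```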
Variables to adjust
Review and adjust the values to match your environment.